
Features

Nong Hoang Tu edited this page Oct 2, 2024 · 3 revisions

rkcheck provides a tool named rkscanmal that can:

  1. Scan files
  2. Scan a process's memory
  3. Find user-land rootkit libraries by comparing function addresses

Developed with "as effective as possible" in mind, the rkscanmal engine has these features:

  1. Support both Yara signatures (either cleartext or compiled rules) and ClamAV signatures.
  2. Collect various information about a running process (from procfs), so scanning a process is not limited to string scanning but can also perform heuristic detection, such as spotting reverse shells, thread masquerading, or self-deleting malware.
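The procfs heuristics listed in item 2 can be illustrated with a small added example; this is not rkscanmal's own code, and the exact checks (a self-deleted `exe` link, stdin/stdout/stderr all pointing at a socket, and a user-land process carrying a kernel-thread-style name) are assumptions about how such heuristics are commonly implemented, run here against a constructed fake `/proc` tree so it works offline.

```python
import os
import tempfile

def read_comm(base):
    try:
        with open(os.path.join(base, "comm")) as f:
            return f.read().strip()
    except OSError:
        return ""

def check_process(proc_root, pid):
    """Apply three procfs heuristics to <proc_root>/<pid>; return the hits."""
    base = os.path.join(proc_root, str(pid))
    hits = []
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""                       # kernel threads have no exe target
    # 1. self-deleting malware: the binary was unlinked after it was executed
    if exe.endswith(" (deleted)"):
        hits.append("self_deleted_exe")
    # 2. reverse shell: stdin, stdout and stderr all redirected to a socket
    targets = []
    for fd in ("0", "1", "2"):
        try:
            targets.append(os.readlink(os.path.join(base, "fd", fd)))
        except OSError:
            targets.append("")
    if all(t.startswith("socket:[") for t in targets):
        hits.append("stdio_on_socket")
    # 3. thread masquerading (assumed heuristic): a process with a real
    #    executable whose comm is styled like a kernel thread, e.g. [kworker/0:1]
    comm = read_comm(base)
    if exe and comm.startswith("[") and comm.endswith("]"):
        hits.append("kthread_name_masquerade")
    return hits

def build_fake_proc():
    """Construct a fake procfs tree: one benign shell and one suspicious process."""
    root = tempfile.mkdtemp()
    spec = {1234: ("bash", "/usr/bin/bash", "pipe:[100]"),
            4321: ("[kworker/0:1]", "/tmp/x (deleted)", "socket:[5555]")}
    for pid, (comm, exe, std) in spec.items():
        base = os.path.join(root, str(pid))
        os.makedirs(os.path.join(base, "fd"))
        os.symlink(exe, os.path.join(base, "exe"))
        for fd in ("0", "1", "2"):
            os.symlink(std, os.path.join(base, "fd", fd))
        with open(os.path.join(base, "comm"), "w") as f:
            f.write(comm + "\n")
    return root
```

Pointing `check_process` at the real `/proc` root on a Linux host runs the same checks against live processes; the kernel-thread-name check is noisy on its own and is best combined with a parent-PID check (real kernel threads descend from PID 2).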